this post was submitted on 30 Mar 2024
1581 points (97.7% liked)

linuxmemes

21226 readers
87 users here now

Hint: :q!


Sister communities:


Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack members of the community for any reason.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
  • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
  • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, and wants to interject for a moment. You can stop now.

  • Please report posts and comments that break these rules!

    founded 1 year ago
    MODERATORS
    you are viewing a single comment's thread
    view the rest of the comments
    [–] oce@jlai.lu 80 points 7 months ago* (last edited 7 months ago) (2 children)

    If your security relies on hidden information then it's at risk of being broken at any time by someone who will find the information in some way. Open source security is so much stronger because it works independently of system knowledge. See all the open source cryptography that secures the web for example.
    Open source poc and fix increases awareness of issues and helps everyone to make progress. You will also get much more eyes to verify your analysis and fix, as well as people checking if there could other consequences in other systems. Some security specialists are probably going to create techniques to detect this kind of sophisticated attack in the future.
    This doesn't happen with closed source.
    If some system company/administrator is too lazy to update, the fault is on them, not on the person who made all the information available for your to understand and fix the issue.

    [–] squaresinger@feddit.de 3 points 7 months ago (1 children)

    If the vulnerability is in the wild, what other security mechanisms do you have until it's patched?

    [–] oce@jlai.lu 4 points 7 months ago* (last edited 7 months ago)

    In this case, downgrading to the not affected version. If there's no possible downgrade, stopping the compromised system until it is fixed.
    Keeping the vulnerable system up because you think nobody else should know is a bet, I don't think it's sound. State actors are investing a lot to find and exploit those vulnerabilities, in this case probably even funded the implementation of the vulnerability, so I think you should assume that any vulnerability you discover is already used.